BIOS

WATCH LIVE

Equifax Canada seeks to regain trust in its security after major U.S. breach

Equifax Canada's chief privacy officer says there's no evidence of fraudulent activity on the Canadian accounts hacked in last year's massive data breach at its U.S. parent company.

David Paddon, The Canadian Press
Published Wednesday, January 24, 2018 12:30PM EST
Last Updated Wednesday, January 24, 2018 3:50PM EST

TORONTO -- Equifax Canada's reputation took a hit after its U.S. parent revealed a massive data breach last year, but chief privacy officer John Russo says the 19,000 affected Canadian accounts haven't been linked to any fraud.

Russo's assurances come as the credit monitoring company promoted its new Canadian income and employment verification service for lenders amid stricter mortgage rules.

Under a new standard, federally regulated mortgage lenders have been required since Jan. 1 to do stress tests on a prospective borrower's ability to withstand an increase in interest rates even if they don't require mortgage insurance.

"There's increased rigour when they have to verify third-party information," Russo said. "They can't just rely on pay stubs and stuff that you bring as a borrower. They have to use an independent source."

Equifax was tight-lipped in the aftermath of the hack last year.

In promoting the new service, Russo acknowledged that the company's reputation as a custodian of sensitive personal data took a hit with the leak of confidential information for about 145 million Americans from one of several Equifax databases.

The breach included names, addresses and social security and credit card numbers, as well as usernames, passwords and secret question/secret answer data.

Equifax's reputation was damaged by the sensitivity of the information, the security lapse that allowed the leak and the delay in announcing the breach.

While the company didn't announce the hack until Sept. 7, it was discovered in July and likely began in mid-May.

The Atlanta-based company was also initially unable to say how many Canadians were affected, then estimated the number at 100,000 on Sept. 19, 8,000 on Oct. 2 and the current estimate of 19,000 on Nov. 28.

"First and foremost, I would say 'sorry' to all Canadians," Russo said -- repeating an apology that he delivered in December to a House of Commons committee in Ottawa.

Russo noted that, as of this week, none of the Canadians who used the hacked U.S. server has reported any signs of identity theft since they were notified of the risk.

The company's monitoring has also found no evidence the Canadian account information has been bought or sold.

Paul Taylor, president and CEO of Mortgage Professionals Canada, said Equifax's new income and employment verification service has potential if it works as intended.

But Taylor said he has no way to judge whether it will meet OSFI's requirements or be cost-effective for mortgage lenders.

"I think lenders are already doing quite thorough due diligence of income verification on mortgage applications these days," Taylor said.

Media representatives for the federal privacy commissioner and the main federal banking watchdog said their offices are aware of Equifax's new Canadian verification service but they have no role in validating new products.